Hello community, here is the log from the commit of package ghc-hackage-security for openSUSE:Factory checked in at 2016-10-19 13:04:12 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ghc-hackage-security (Old) and /work/SRC/openSUSE:Factory/.ghc-hackage-security.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ghc-hackage-security" Changes: -------- --- /work/SRC/openSUSE:Factory/ghc-hackage-security/ghc-hackage-security.changes 2016-07-21 08:12:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ghc-hackage-security.new/ghc-hackage-security.changes 2016-10-19 13:04:13.000000000 +0200 @@ -1,0 +2,5 @@ +Fri Sep 16 21:16:02 UTC 2016 - psim...@suse.com + +- Update to version 0.5.2.2 with cabal2obs. + +------------------------------------------------------------------- Old: ---- hackage-security-0.5.2.1.tar.gz New: ---- hackage-security-0.5.2.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ghc-hackage-security.spec ++++++ --- /var/tmp/diff_new_pack.tGvGVl/_old 2016-10-19 13:04:14.000000000 +0200 +++ /var/tmp/diff_new_pack.tGvGVl/_new 2016-10-19 13:04:14.000000000 +0200 @@ -19,15 +19,14 @@ %global pkg_name hackage-security %bcond_with tests Name: ghc-%{pkg_name} -Version: 0.5.2.1 +Version: 0.5.2.2 Release: 0 Summary: Hackage security library License: BSD-3-Clause -Group: System/Libraries +Group: Development/Languages/Other Url: https://hackage.haskell.org/package/%{pkg_name} Source0: https://hackage.haskell.org/package/%{pkg_name}-%{version}/%{pkg_name}-%{version}.tar.gz BuildRequires: ghc-Cabal-devel -# Begin cabal-rpm deps: BuildRequires: ghc-base16-bytestring-devel BuildRequires: ghc-base64-bytestring-devel BuildRequires: ghc-bytestring-devel @@ -56,7 +55,6 @@ BuildRequires: ghc-tasty-quickcheck-devel BuildRequires: ghc-temporary-devel %endif -# End cabal-rpm deps %description The hackage security library provides both server and client utilities for 
@@ -90,20 +88,14 @@ %prep %setup -q -n %{pkg_name}-%{version} - %build %ghc_lib_build - %install %ghc_lib_install - %check -%if %{with tests} -%{cabal} test -%endif - +%cabal_test %post devel %ghc_pkg_recache ++++++ hackage-security-0.5.2.1.tar.gz -> hackage-security-0.5.2.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hackage-security-0.5.2.1/ChangeLog.md new/hackage-security-0.5.2.2/ChangeLog.md --- old/hackage-security-0.5.2.1/ChangeLog.md 2016-06-07 23:44:49.000000000 +0200 +++ new/hackage-security-0.5.2.2/ChangeLog.md 2016-08-29 00:57:40.000000000 +0200 @@ -1,3 +1,10 @@ +0.5.2.2 +------- + +* Fix client in case where server provides MD5 hashes + (ignore them, use only SHA256) +* Fix warnings with GHC 8 + 0.5.2.1 ------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hackage-security-0.5.2.1/hackage-security.cabal new/hackage-security-0.5.2.2/hackage-security.cabal --- old/hackage-security-0.5.2.1/hackage-security.cabal 2016-06-07 23:44:49.000000000 +0200 +++ new/hackage-security-0.5.2.2/hackage-security.cabal 2016-08-29 00:57:40.000000000 +0200 @@ -1,5 +1,5 @@ name: hackage-security -version: 0.5.2.1 +version: 0.5.2.2 synopsis: Hackage security library description: The hackage security library provides both server and client utilities for securing the Hackage package server diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Formats.hs new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Formats.hs --- old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Formats.hs 2016-06-07 23:44:49.000000000 +0200 +++ new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Formats.hs 2016-08-29 00:57:40.000000000 +0200 
@@ -113,4 +113,3 @@
 formatsLookup (HFS hf) (FsUn _ ) = hasFormatAbsurd hf
 formatsLookup (HFS hf) (FsGz _) = hasFormatAbsurd hf
 formatsLookup (HFS hf) (FsUnGz _ a) = formatsLookup hf (FsGz a)
-formatsLookup _ _ = error "inaccessible"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Local.hs new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Local.hs
--- old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Local.hs 2016-06-07 23:44:49.000000000 +0200
+++ new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Local.hs 2016-08-29 00:57:40.000000000 +0200
@@ -92,8 +92,6 @@
 verifyLocalFile (LocalFile fp) trustedInfo = do
 -- Verify the file size before comparing the entire file info
 sz <- FileLength <$> getFileSize fp
- if sz /= fileInfoLength
+ if sz /= fileInfoLength (trusted trustedInfo)
 then return False
- else knownFileInfoEqual info <$> computeFileInfo fp
- where
- info@FileInfo{..} = trusted trustedInfo
+ else compareTrustedFileInfo (trusted trustedInfo) <$> computeFileInfo fp
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Remote.hs new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Remote.hs
--- old/hackage-security-0.5.2.1/src/Hackage/Security/Client/Repository/Remote.hs 2016-06-07 23:44:49.000000000 +0200
+++ new/hackage-security-0.5.2.2/src/Hackage/Security/Client/Repository/Remote.hs 2016-08-29 00:57:40.000000000 +0200
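Review bot: `trusted trustedInfo` is now written out twice in verifyLocalFile, once in the length guard and again in the else branch, where the hunk previously had a single `info` binding; binding it once, e.g. `let info = trusted trustedInfo` before the `if`, then `if sz /= fileInfoLength info` and `else compareTrustedFileInfo info <$> computeFileInfo fp`, keeps the Trusted unwrap in one place. verifyRemoteFile in the Remote.hs hunk picks up the same duplication and the same fix applies there. verifyLocalFile's type signature lies outside this hunk.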
@@ -652,9 +652,10 @@ verifyRemoteFile :: RemoteTemp typ -> Trusted FileInfo -> IO Bool verifyRemoteFile remoteTemp trustedInfo = do sz <- FileLength <$> remoteSize remoteTemp - if sz /= fileInfoLength + if sz /= fileInfoLength (trusted trustedInfo) then return False - else withRemoteBS remoteTemp $ knownFileInfoEqual info . fileInfo + else withRemoteBS remoteTemp $ + compareTrustedFileInfo (trusted trustedInfo) . fileInfo where remoteSize :: RemoteTemp typ -> IO Int54 remoteSize DownloadedWhole{..} = getFileSize wholeTemp @@ -679,8 +680,6 @@ , temp ] - info@FileInfo{..} = trusted trustedInfo - {------------------------------------------------------------------------------- Auxiliary: multiple exit points -------------------------------------------------------------------------------} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hackage-security-0.5.2.1/src/Hackage/Security/Client.hs new/hackage-security-0.5.2.2/src/Hackage/Security/Client.hs --- old/hackage-security-0.5.2.1/src/Hackage/Security/Client.hs 2016-06-07 23:44:49.000000000 +0200 +++ new/hackage-security-0.5.2.2/src/Hackage/Security/Client.hs 2016-08-29 00:57:40.000000000 +0200 @@ -332,7 +332,13 @@ DontCache -> Nothing -- | Get all cached info (if any) -getCachedInfo :: (Applicative m, MonadIO m) => Repository down -> m CachedInfo +getCachedInfo :: +#if __GLASGOW_HASKELL__ < 800 + (Applicative m, MonadIO m) +#else + MonadIO m +#endif + => Repository down -> m CachedInfo getCachedInfo rep = do (cachedRoot, cachedKeyEnv) <- readLocalRoot rep cachedTimestamp <- readLocalFile rep cachedKeyEnv CachedTimestamp 
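Review bot: The new `#if __GLASGOW_HASKELL__ < 800` block around getCachedInfo's constraint list gives no hint why 8.0 is the cut-off, and readLocalFile in the following hunk repeats the pattern without explanation. A one-line comment above the first `#if`, e.g. `-- Applicative m follows from MonadIO m on GHC >= 8.0; the explicit constraint is kept only for older compilers (see ChangeLog 0.5.2.2, "Fix warnings with GHC 8")`, would spare the next reader a changelog search. The module header is outside the hunk, so it is worth confirming that `{-# LANGUAGE CPP #-}` is enabled there, since the `#if` lines are not preprocessed otherwise. getCachedInfo's body also continues past the end of the hunk.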
@@ -353,8 +359,10 @@ readCachedJSON rep KeyEnv.empty cachedPath return (trustLocalFile signedRoot, rootKeys (signed signedRoot)) -readLocalFile :: ( FromJSON ReadJSON_Keys_Layout (Signed a) - , MonadIO m, Applicative m +readLocalFile :: ( FromJSON ReadJSON_Keys_Layout (Signed a), MonadIO m +#if __GLASGOW_HASKELL__ < 800 + , Applicative m +#endif ) => Repository down -> KeyEnv -> CachedFile -> m (Maybe (Trusted a)) readLocalFile rep cachedKeyEnv file = do diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/hackage-security-0.5.2.1/src/Hackage/Security/TUF/FileInfo.hs new/hackage-security-0.5.2.2/src/Hackage/Security/TUF/FileInfo.hs --- old/hackage-security-0.5.2.1/src/Hackage/Security/TUF/FileInfo.hs 2016-06-07 23:44:49.000000000 +0200 +++ new/hackage-security-0.5.2.2/src/Hackage/Security/TUF/FileInfo.hs 2016-08-29 00:57:40.000000000 +0200 @@ -6,6 +6,7 @@ -- * Utility , fileInfo , computeFileInfo + , compareTrustedFileInfo , knownFileInfoEqual , fileInfoSHA256 -- ** Re-exports @@ -61,6 +62,9 @@ fileInfo bs = FileInfo { fileInfoLength = FileLength . fromIntegral $ BS.L.length bs , fileInfoHashes = Map.fromList [ + -- Note: if you add or change hash functions here and you want to + -- make them compulsory then you also need to update + -- 'compareTrustedFileInfo' below. (HashFnSHA256, Hash $ BS.C8.unpack $ Base16.encode $ SHA256.hashlazy bs) ] } 
@@ -69,11 +73,34 @@ computeFileInfo :: FsRoot root => Path root -> IO FileInfo computeFileInfo fp = fileInfo <$> readLazyByteString fp --- | Compare known file info +-- | Compare the expected trusted file info against the actual file info of a +-- target file. -- --- This should be used only when the FileInfo is already known. If we want to --- compare known FileInfo against a file on disk we should delay until we know --- have confirmed that the file lengths don't match (see 'verifyFileInfo'). +-- This should be used only when the 'FileInfo' is already known. If we want +-- to compare known 'FileInfo' against a file on disk we should delay until we +-- have confirmed that the file lengths match (see 'downloadedVerify'). +-- +compareTrustedFileInfo :: FileInfo -- ^ expected (from trusted TUF files) + -> FileInfo -- ^ actual (from 'fileInfo' on target file) + -> Bool +compareTrustedFileInfo expectedInfo actualInfo = + -- The expected trusted file info may have hashes for several hash + -- functions, including ones we do not care about and do not want to + -- check. In particular the file info may have an md5 hash, but this + -- is not one that we want to check. + -- + -- Our current policy is to check sha256 only and ignore md5: + sameLength expectedInfo actualInfo + && sameSHA256 expectedInfo actualInfo + where + sameLength a b = fileInfoLength a + == fileInfoLength b + + sameSHA256 a b = case (fileInfoSHA256 a, + fileInfoSHA256 b) of + (Just ha, Just hb) -> ha == hb + _ -> False + knownFileInfoEqual :: FileInfo -> FileInfo -> Bool knownFileInfoEqual a b = (==) (fileInfoLength a, fileInfoHashes a) (fileInfoLength b, fileInfoHashes b)
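Review bot: knownFileInfoEqual loses its Haddock in this hunk, because the old `-- | Compare known file info` block was rewritten into the documentation for compareTrustedFileInfo, yet it remains exported next to the new function while behaving differently: it compares the complete `fileInfoHashes` map, so an expected info carrying an extra hash entry (the MD5 case from the changelog) compares unequal to a computed one, which is exactly what compareTrustedFileInfo was introduced to avoid. A short Haddock would keep callers from picking the wrong one, e.g. `-- | Strict equality on length and the complete hash map. Unlike 'compareTrustedFileInfo' this fails whenever the two sides list different hash functions.` The `_ -> False` arm of sameSHA256 also deserves a why-comment, since it is the fail-closed choice a later reader might be tempted to relax into a fallback on whatever hash happens to be present: `-- Missing SHA256 on either side: refuse rather than fall back to a weaker hash.` The new doc comment's reference to 'downloadedVerify' cannot be checked from this hunk.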